Delaware has joined a growing number of states in updating and strengthening its data breach law. The new law expands the definition of what is considered personal information, requires companies to “implement and maintain reasonable security” for personal information in their possession, institutes a 60-day deadline for reporting the breach and mandates one year of free credit monitoring should a social security number be included in the breach. If your company has customers within the state of Delaware, here are a few key aspects of which you should be aware.
- Personal information. The definition of “personal information” has been expanded to meet the ever-changing landscape of electronic information. Two aspects of the new definition that companies should be aware of are usernames or email addresses, in combination with a password or security question and answer, and biometric data. Usernames may not generally be thought of as something that requires extra protection. However, as more and more people operate online and such credentials open the door to more risks of harm, states have started to protect such IDs and related credentials. Biometric data has been added to a number of updated breach notification laws, as well. With cell phones using fingerprints to unlock and the growth in the use of facial recognition technology, the collection and safeguarding of biometric data becomes a greater priority for companies.
- Write it down. Companies need to be able to demonstrate that they have implemented and maintained reasonable security to protect the personal information that they collect. This requirement of the Delaware law is something that companies should be doing already as a best practice. However, it is not enough to just safeguard the information; you should have all of your efforts reduced to writing in the form of policies and procedures. If it is important enough to do, it is important enough to reduce to writing. Such documentation can not only help you satisfy the Delaware law’s requirements; it can demonstrate to a court or other regulators that you have been diligent in your data governance efforts.
- The clock is ticking. The requirement of a 60-day deadline is something companies also need to be aware of. When a breach is detected, your company is on the clock and needs to investigate and notify the public of the breach. This is easier said than done for any company. There are a multitude of factors to consider prior to disclosing a breach of customer information. Your company wants to be accurate about what information was impacted by the breach. You also want to determine whether a breach has occurred that requires notification. What may initially appear as a breach on the surface may not rise to that level upon further investigation.
- Credit monitoring. If you have a breach involving Social Security numbers, the new law requires that you offer credit monitoring services for one year. Delaware follows Connecticut’s lead in mandating this service. With this addition to the law, companies should evaluate their cyber-insurance policies for coverage concerning notification and credit monitoring services. These two aspects can sometimes be the costliest part of a breach.
Delaware is certainly not the last state to revise its breach-related laws. This is just the latest. As more and more companies traffic in personal information, we can expect the opportunities and risks to increase as well. Companies should anticipate and plan for improving data governance practices to not only comply with the law, but to improve their ability to address security incidents efficiently, survive breaches and even capitalize on the ways they can better serve their customers.
This is part 1 of a 2-part series. Part 2 will cover how creation of an incident response plan can help in meeting these needs.
Brian Eaton is a member of the Taft Privacy and Data Security practice area and is a Certified Information Privacy Professional in U.S. privacy law.